SBOM Standards

Compares the characteristics of SPDX and CycloneDX, the two leading SBOM standards, and presents criteria for choosing the one that fits your project.

Major SBOM Standards

Two standards are in wide use today, and both are accepted for submission to SK Telecom. They differ in their origins and primary focus areas.

  • SPDX (Software Package Data Exchange): A standard led by the Linux Foundation (ISO/IEC 5962). Developed to exchange open source license information, it expresses license and copyright information in detail and can carry information down to the individual file level.
  • CycloneDX: A security-focused standard developed by OWASP (ECMA-424). Designed from the start for vulnerability management, it has a compact structure and integrates well with security tools.

SPDX vs CycloneDX

AspectSPDXCycloneDX
Governing bodyLinux FoundationOWASP
Standard certificationISO/IEC 5962ECMA-424
Primary purposeLicense complianceSecurity vulnerability management
Structural complexityHigh (detailed)Low (compact)
File-level trackingSupportedLimited
Vulnerability informationOptionalBuilt in
Tool ecosystemMatureGrowing fast
File formatsJSON, RDF/XML, YAML, Tag-ValueJSON, XML
Typical usersLegal teams, open source program officesSecurity teams, DevOps engineers
SKT recommendationWhen license verification is the main goalWhen vulnerability management is the main goal

Whichever format you use, acceptance is decided by content, not format. Pick the format your generation tool supports and meet the required fields in the Submission Requirements.

Converting Between the Two

Conversion tools are available between SPDX and CycloneDX.

SPDX to CycloneDX

# Using cyclonedx-cli
cyclonedx convert --input-file sbom.spdx.json \
  --output-file sbom.cdx.json --input-format spdx \
  --output-format json

CycloneDX to SPDX

# Using spdx-tools
java -jar tools-java-1.1.0-jar-with-dependencies.jar \
  Convert bom.cdx.json bom.spdx.json

References